What is the cleanest (and fastest) way to get ALL groups that a single user is a member of? I'm using PowerShell 2.0 to count the logged in users in Citrix and divide them into groups from the Active Directory. All users are member of 1 of the subgroups of a group called "VDI-Billing", but the number of nested groups between the user and the VDI-Billing group is not always the same. So I want to be able to get all groups (including nested ones) to compare to the list of members from the VDI-Billing group (1st level) so I get an overview.
Example:
VDI-Billing has a member group NL-VDI-T-Systems. That has multiple groups (that by themselves have multiple groups). But the overview must count all users (sub)member of NL-VDI-T-Systems.
So in the overview I should get:
NL-VDI-T-Systems: 22
ITA-VDI-T-Systems: 25
And so forth.
Anyone know a neat little trick?
We write scripts that do this at my work all the time! With the Quest ActiveRoles Management Tools, a free snapin that makes working with Active Directory objects in Powershell WAY easier.
- Install the free Quest ActiveRoles Management Tools from Quest
- Add the PSSnapin to your profile so that you can access all the Powershell AD tools from the console:
Add-PSSnapin Quest.ActiveRoles.ADManagement
If you want to write scripts that use the AD tools, simply add the command to the first line of your script.
- Run the following command to get all direct and nested groups that a user is a member of:
Get-QADUser 'DOMAIN\USER' | foreach -Process {$_.memberof, $_.nestedmemberof}
You can pipe this to a text file or CSV if you want by adding the Out-CSV or Out-File cmdlets at the end of the command.
This works like a charm for me. Let me know if you have any questions!
~Dan
The best way to do it is to take advantage of the TokenGroups attribute, instead of performing the recursive expansion on your own. You can find examples here and here.
EDIT: A more succinct example
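The tokenGroups approach applied to the VDI-Billing overview from the question, as an added example that is not part of the original posts. It uses only ADSI classes available to PowerShell 2.0; the function names and the account names in $loggedOnUsers are constructed placeholders. tokenGroups returns SIDs and covers security groups only, so the comparison is done by SID.

```powershell
# Added example (not from the original posts). PowerShell 2.0 compatible, ADSI only.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape LDAP filter metacharacters so a name cannot alter the search filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-TokenGroupSid([string]$SamAccountName) {
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    $result = $searcher.FindOne()
    if (-not $result) { return }
    $user = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute: it must be requested explicitly.
    $user.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $user.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Get-FirstLevelSubgroup([string]$ParentGroup = 'VDI-Billing') {
    # Returns a hashtable: SID string -> sAMAccountName of each direct member group.
    $name = ConvertTo-LdapFilterValue $ParentGroup
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$name))"
    $parent = $searcher.FindOne()
    if (-not $parent) { throw "Group '$ParentGroup' not found" }
    $map = @{}
    foreach ($dn in $parent.Properties['member']) {
        $entry = [ADSI]"LDAP://$dn"
        if ($entry.SchemaClassName -ne 'group') { continue }   # skip direct user members
        $sidBytes = $entry.Properties['objectSid'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $map[$sid.Value] = [string]$entry.Properties['sAMAccountName'][0]
    }
    $map
}

$subgroups = Get-FirstLevelSubgroup 'VDI-Billing'
$counts = @{}
foreach ($groupName in $subgroups.Values) { $counts[$groupName] = 0 }

$loggedOnUsers = @('jdoe', 'asmith')   # constructed placeholders for the Citrix session list
foreach ($u in $loggedOnUsers) {
    foreach ($sid in @(Get-TokenGroupSid $u)) {
        if ($subgroups.ContainsKey($sid)) { $counts[$subgroups[$sid]]++ }
    }
}
$counts.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```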